1. Who we are (Controller)
The controller is Go Green Organic Clean LLC, a Florida limited-liability company, with principal place of business at [PRINCIPAL BUSINESS ADDRESS — verify in public records], Sarasota, Florida, United States.
General contact: info@gogreenorganicclean.com · (941) 271-7948. Privacy matters: legal@gogreenorganicclean.com.
2. Scope
This notice covers Personal Data (PD) we process about you when you visit our website, book cleaning services, use our customer portal, apply to be a cleaner, or communicate with us. It supplements (does not replace) our Privacy Policy.
3. Lawful basis for processing (Art. 6 GDPR)
| Purpose | Lawful basis (Art. 6(1)) | Data |
|---|---|---|
| Delivering booked cleaning services | (b) Contract | Name, address, contact, service preferences |
| Processing payment | (b) Contract + (c) Legal obligation (tax) | Stripe tokenized card, billing record |
| Sending transactional email / SMS | (b) Contract | Email, phone |
| Marketing email / SMS | (a) Consent | Email, phone, preferences |
| Website analytics | (a) Consent (opt-in via banner) | Cookies, IP (truncated) |
| Fraud prevention, security | (f) Legitimate interests | IP, session log, device fingerprint |
| Quality-assurance call review | (f) Legitimate interests + notice at start of call | Recorded voice, transcript text |
| Cleaner GPS during assigned shift | (b) Contract (employment) + (f) Legitimate interests (safety) | Precise geolocation, timestamp |
| Background checks for cleaner applicants | (c) Legal obligation + (a) Consent (FCRA) | Name, DOB, SSN, consumer report |
| Tax, accounting, insurance records | (c) Legal obligation | Invoices, payroll, COI data |
| Protecting life or property in emergency | (d) Vital interests | As needed |
4. Special category data (Art. 9)
We do not routinely process special category data (health, religion, ethnicity, trade-union status, sex life, biometric data, genetic data). If a customer voluntarily discloses a health condition relevant to cleaning (e.g., fragrance allergy), we rely on explicit consent (Art. 9(2)(a)) and delete the note on request.
5. Your rights as a data subject
- Access (Art. 15) — a copy of your PD.
- Rectification (Art. 16) — correction of inaccurate PD.
- Erasure (Art. 17) — "right to be forgotten" subject to narrow legal exceptions.
- Restriction (Art. 18) — pause processing during a dispute.
- Portability (Art. 20) — structured, machine-readable export.
- Object (Art. 21) — to processing based on legitimate interests or direct marketing.
- Withdraw consent (Art. 7(3)) — at any time, without affecting prior lawful processing.
- Not be subject to solely automated decisions with legal or significant effects (Art. 22).
6. International data transfers
We are based in the United States and most of our subprocessors are also US-based. We therefore rely on:
- EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with all relevant subprocessors.
- UK International Data Transfer Addendum (IDTA) or the UK Addendum to the SCCs, for transfers from the UK.
- Supplementary measures as required by the Schrems II decision: encryption in transit (TLS 1.3) and at rest, access controls, and organizational safeguards.
- The EU-US Data Privacy Framework where the subprocessor is self-certified (e.g., Stripe, Google).
Copies of the executed transfer mechanisms are available on written request to legal@gogreenorganicclean.com.
7. Retention
Retention periods mirror the 10-line schedule in our Privacy Policy. In short:
- Account info: while active plus 7 years.
- Job records & invoices: 7 years (tax / IRS).
- Cleaning photos: 2 years after job.
- Call transcripts: 1 year, then summarized.
- Marketing consent: until revoked plus 1 year.
8. Automated decision-making
We use AI (Groq / OpenAI) to summarize calls, draft customer replies, and suggest a cadence. A human always reviews the AI output before a decision that affects you (approval, denial, pricing). No solely automated decision produces legal or similarly significant effects on you.
9. DPO / Article 27 representative
We are not a public body, our core activities do not consist of large-scale regular monitoring of data subjects, and we do not process special category data on a large scale. Accordingly, we have assessed that Article 37 GDPR does not require us to appoint a Data Protection Officer. Our Privacy Lead (owner / CEO, Kevin Flanagan) performs the functions on a voluntary basis. Reach the Privacy Lead at legal@gogreenorganicclean.com.
If we regularly offer services to EU/UK data subjects in the future, we will appoint an Article 27 representative. [verify / retain vendor]
10. Breach notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the competent supervisory authority within 72 hours (Art. 33).
- Notify affected data subjects without undue delay when the breach is likely to result in a high risk (Art. 34). We target notification within 30 days, and much sooner when feasible.
- Document the breach, its effects, and remediation in our internal incident register.
11. Right to complain to a supervisory authority
You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. In the UK, the authority is the Information Commissioner's Office (ico.org.uk).
